CVE-2025-53221
Description
Missing Authorization vulnerability in codeablepress CodeablePress codeablepress-simple-frontend-profile-picture-upload allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CodeablePress: from n/a through <= 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An attacker who can reach the plugin's front-end profile-picture upload handler can trigger it without the authorization check that should gate it (CodeablePress Simple Frontend Profile Picture Upload <= 1.0.2). The CVE description does not say whether a logged-in account is required; the unauthenticated reading below is an inference from the feature being a public-facing front-end form.
Vulnerability Description
The CodeablePress Simple Frontend Profile Picture Upload plugin for WordPress (versions up to and including 1.0.2) is missing an authorization check on its profile-picture upload handler: the code that processes the upload does not verify that the caller holds the capability the action requires before acting on the request. The description does not state whether a nonce (CSRF token) is also absent, or whether the handler is reachable without any WordPress session; because it is a front-end feature, both should be assumed until the plugin code has been reviewed.
Exploitation Details
An attacker sends a crafted HTTP request (a multipart form POST carrying the image field) directly to the plugin's upload handler, bypassing whatever front-end page would normally lead to it. Because the handler itself does not check who is calling, no elevated privileges are needed; if the handler is registered for anonymous requests as well, no WordPress account is needed either. The practical check is to replay the upload request once with no cookies and once with a subscriber-level session and see whether either is accepted.
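The authorization gap the description names, as an added example that is not the plugin's code (the plugin's source is not shown on this page): a minimal WordPress AJAX upload handler written the vulnerable way beside a hardened version. The hook names `sfpu_upload` and `sfpu_upload_secure`, the nonce action `sfpu_upload_nonce`, the form field `avatar` and the user-meta key are assumptions made for the illustration; the core functions used (`wp_handle_upload`, `check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`) are real WordPress APIs and the file is meant to be dropped into a plugin, not run stand-alone.

```php
<?php
/*
 * Illustrative WordPress AJAX upload handler: the missing-authorization
 * pattern beside a hardened version. Example code written for this page,
 * not the CodeablePress plugin's source; hook names, nonce action, field
 * name and meta key are assumptions.
 */

// --- Vulnerable pattern: the handler is reachable by anonymous callers
//     (wp_ajax_nopriv_) and nothing checks who is calling, whether the
//     request was intended (nonce) or what kind of file arrives.
add_action( 'wp_ajax_nopriv_sfpu_upload', 'sfpu_upload_vulnerable' );
add_action( 'wp_ajax_sfpu_upload',        'sfpu_upload_vulnerable' );

function sfpu_upload_vulnerable() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // No capability check, no nonce, no type allow-list precedes the upload.
    $result = wp_handle_upload( $_FILES['avatar'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// --- Hardened pattern: logged-in users only (no nopriv hook, so anonymous
//     callers get "0" from admin-ajax.php), CSRF nonce, explicit capability,
//     allow-listed image types verified by content, result bound to the caller.
add_action( 'wp_ajax_sfpu_upload_secure', 'sfpu_upload_secure' );

function sfpu_upload_secure() {
    // 1. Authentication.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // 2. CSRF: nonce tied to this action and this user; terminates the
    //    request on failure.
    check_ajax_referer( 'sfpu_upload_nonce', 'sfpu_nonce' );

    // 3. Authorization: require a capability, not merely a session.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    if ( empty( $_FILES['avatar'] ) || ! is_uploaded_file( $_FILES['avatar']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // 4. Content validation: allow-list image types, checked by extension AND
    //    magic bytes, so "shell.php" and "shell.php.jpg" are both refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['avatar']['tmp_name'], $_FILES['avatar']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'Only JPEG, PNG or GIF images are accepted.' ), 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['avatar'],
        array(
            'test_form' => false,
            'mimes'     => $allowed, // wp_handle_upload re-checks against this list
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    // 5. Bind the picture to the *current* user; never trust a user_id from
    //    the request, or the missing-authorization bug returns in another form.
    update_user_meta( get_current_user_id(), 'sfpu_profile_picture', esc_url_raw( $result['url'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The three checks in the hardened handler answer three different questions (who are you, did you mean to send this, are you allowed to) and none substitutes for another: a nonce alone does not stop a low-privilege account, and a capability check alone does not stop a forged cross-site request from an administrator's browser.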
Impact
Successful exploitation lets the attacker place files of their choosing in the site's uploads directory. If the handler also fails to restrict file type (the description does not say either way, but a handler that skips authorization rarely validates content carefully), that includes PHP files, i.e. a web shell, which yields remote code execution on the web server and from there site defacement, data theft or lateral movement. Unauthenticated upload bugs in WordPress plugins are a staple of automated mass-exploitation, so an exposed site should assume it will be probed soon after disclosure.
Mitigation
No patched version has been released; the latest version (1.0.2) remains affected. Site administrators should deactivate and delete the plugin until a fix is available, and treat the exposure window as a possible compromise: review the web-server access log for POST requests to the plugin's upload handler, inspect wp-content/uploads for any file the web server could execute as PHP, and confirm that PHP execution is disabled in the uploads directory. The vulnerability has been publicly disclosed, so assume it is being scanned for.
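A check for the impact described above and for use after removing the plugin, added here as example code rather than anything from the vendor: a PHP command-line scanner that walks a wp-content/uploads tree, reports files a web server could execute as PHP (including double-extension names) and image files carrying a PHP open tag, and says whether an .htaccess in that directory blocks PHP execution. With no argument it builds a small constructed directory tree (fake files, deleted afterwards) so it runs anywhere; the executable-extension list and the .htaccess heuristic are assumptions for the illustration and should be adjusted to the server's real handler configuration.

```php
<?php
// Example scanner for this page (not vendor code): find web-shell candidates in
// a WordPress uploads tree and check whether PHP execution is blocked there.

// Extensions a typical Apache/mod_php or PHP-FPM setup may hand to the PHP
// engine; an assumption for the illustration, extend to match your server.
const SFPU_EXEC_EXT = array( 'php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps' );

/** Walk $dir and return [ [ 'path' => ..., 'reason' => ... ], ... ] sorted by path. */
function sfpu_scan_uploads( string $dir ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $path = $file->getPathname();
        $exts = explode( '.', strtolower( $file->getFilename() ) );
        array_shift( $exts ); // drop the base name, keep every extension
        $last = $exts ? end( $exts ) : '';
        if ( in_array( $last, SFPU_EXEC_EXT, true ) ) {
            // "shell.php": executed directly by the web server.
            $findings[] = array( 'path' => $path, 'reason' => 'executable extension' );
            continue;
        }
        if ( array_intersect( $exts, SFPU_EXEC_EXT ) ) {
            // "pic.php.jpg": executed by Apache configs that map handlers on any
            // extension in the name (AddHandler) rather than only the last one.
            $findings[] = array( 'path' => $path, 'reason' => 'double extension' );
            continue;
        }
        // Otherwise look inside: an image that carries a PHP open tag is a
        // polyglot waiting for an include or handler misconfiguration.
        $head = (string) file_get_contents( $path, false, null, 0, 65536 );
        if ( strpos( $head, '<?php' ) !== false || strpos( $head, '<?=' ) !== false ) {
            $findings[] = array( 'path' => $path, 'reason' => 'PHP open tag inside non-PHP file' );
        }
    }
    usort( $findings, function ( $a, $b ) { return strcmp( $a['path'], $b['path'] ); } );
    return $findings;
}

/** Heuristic: does an .htaccess in $dir disable PHP for Apache/mod_php? */
function sfpu_uploads_blocks_php( string $dir ): bool {
    $ht = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    if ( ! is_file( $ht ) ) {
        return false;
    }
    $text = (string) file_get_contents( $ht );
    return (bool) preg_match( '/php_flag\s+engine\s+off|<FilesMatch[^>]*\bph(p|tml)/i', $text );
}

/** Build a throwaway tree of constructed (fake) files for an offline run. */
function sfpu_make_demo_tree(): string {
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sfpu_demo_' . getmypid();
    mkdir( $root . '/2025/07', 0700, true );
    file_put_contents( $root . '/2025/07/avatar.jpg',  "\xFF\xD8\xFF\xE0 fake jpeg body" );
    file_put_contents( $root . '/2025/07/shell.php',   "<?php system(\$_GET['c']); // constructed sample" );
    file_put_contents( $root . '/2025/07/pic.php.jpg', "\xFF\xD8\xFF\xE0" );
    file_put_contents( $root . '/2025/07/poly.png',    "\x89PNG\r\n\x1a\n<?php echo 1; ?>" );
    file_put_contents( $root . '/.htaccess', "<FilesMatch \"\\.(php|phtml)$\">\n  Require all denied\n</FilesMatch>\n" );
    return $root;
}

function sfpu_rmtree( string $dir ): void {
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $iter as $f ) {
        $f->isDir() ? rmdir( $f->getPathname() ) : unlink( $f->getPathname() );
    }
    rmdir( $dir );
}

// Usage: php scan_uploads.php /var/www/html/wp-content/uploads
//        php scan_uploads.php            (no argument: runs on the constructed tree)
$demo = ! isset( $argv[1] );
$dir  = $demo ? sfpu_make_demo_tree() : rtrim( $argv[1], '/\\' );
foreach ( sfpu_scan_uploads( $dir ) as $f ) {
    printf( "%-35s %s\n", $f['reason'], $f['path'] );
}
echo 'PHP execution blocked by .htaccess: ', sfpu_uploads_blocks_php( $dir ) ? 'yes' : 'no', "\n";
if ( $demo ) {
    sfpu_rmtree( $dir );
}
```

Run it as the web-server user or root so every subdirectory is readable, and remember that the .htaccess check only means anything under Apache with AllowOverride enabled; on nginx or PHP-FPM the equivalent control is a location block that refuses to pass uploads/ paths to the PHP backend, which this script cannot see.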
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: no linked articles in our index yet.